Don’t Wear your Data on your Sleeve: Why You Should Be Wary of Fitness Trackers from a Security Standpoint



Author: Olivia | Published on January 4, 2017 | Views: 2192

Recently, I was reading a blog post about all the hot Christmas gifts for 2016 and their inherent vulnerabilities. Of course, there were the usual suspects like computers and mobile devices, but more IoT devices crept onto the list, including smart holiday lights that can be turned on and off via an app.

Fitness trackers were also on the list, and it struck me how little attention we give these devices from a security standpoint.

On Christmas Day 2015, Fitbit’s app was the most downloaded on Apple’s App Store, pointing to the craze surrounding this seemingly helpful technology, a craze which has only grown since that year.

Especially with the rush to get in shape quickly preceding the holidays, you can see the appeal of having a wristband that can track your total steps taken, total stairs climbed, total hours of sleep and total calories burned in a day, to name a few.

It’s as though you can feel a six pack forming the second you slip the band onto your arm. And it’s so easy: all the fitness information you need, aggregated on one platform.

In an early 2016 study titled “Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security,” from Open Effect together with the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, researchers examined eight popular fitness trackers and found that all but the Apple Watch “wirelessly emit a persistent unique identifier over Bluetooth. This leakage lets third parties, such as shopping centers or others interested in location-based monitoring, collect and map out people’s movements over time.”

The gist is that seven out of eight fitness tracking devices emit a persistent unique identifier (the Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location whenever the device is not paired with, and connected to, a mobile device.

The study also found vulnerabilities that could allow the user or an intruder to manipulate the data generated, which would falsify activity levels.

How does this happen?

Well, the main problem is that the devices broadcast an unchanging MAC address (Media Access Control address) when not paired with a smartphone. This means monitoring equipment could detect this MAC address and use it to track users over extended periods of time without their knowledge.
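To make the persistent-address problem concrete from the owner’s side, here is an added example (not code from this post or from the Open Effect study) that audits a Bluetooth Low Energy advertisement capture of your own devices. It classifies each observed address by type as the Bluetooth Core Specification defines it (public, or random with the top two bits of the most significant byte marking static, resolvable-private or non-resolvable-private) and flags any device that only ever shows a fixed address, or that never rotates its address across the capture window. The capture format, the device names and the 15-minute rotation threshold are assumptions made for this example.

```python
"""Audit a BLE advertisement capture to see which of your own devices
broadcast a fixed address (trackable) versus a rotating private one."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture (not real data): timestamp, HCI address type,
# device address, advertised name. One line per observed advertisement.
SAMPLE_CAPTURE = """\
2017-01-04T08:00:00 public C4:3A:BE:11:22:33 name=TrackerA
2017-01-04T08:20:00 public C4:3A:BE:11:22:33 name=TrackerA
2017-01-04T08:40:00 public C4:3A:BE:11:22:33 name=TrackerA
2017-01-04T08:00:00 random 5E:12:34:56:78:9A name=WatchB
2017-01-04T08:20:00 random 4B:98:76:54:32:10 name=WatchB
2017-01-04T08:40:00 random 6C:0F:AA:BB:CC:DD name=WatchB
2017-01-04T08:00:00 random F0:11:22:33:44:55 name=BandC
2017-01-04T08:40:00 random F0:11:22:33:44:55 name=BandC
"""

# Assumed threshold: a privacy-preserving device should have rotated its
# resolvable private address at least once within this span.
ROTATION_INTERVAL = timedelta(minutes=15)


def classify_address(addr: str, addr_type: str) -> str:
    """Classify a BLE address: public, or a random-address subtype decided by
    the two most significant bits of the first byte (11 static,
    01 resolvable-private, 00 non-resolvable-private)."""
    if addr_type == "public":
        return "public"
    if addr_type != "random":
        raise ValueError(f"unknown address type {addr_type!r}")
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {
        0b11: "static",
        0b01: "resolvable-private",
        0b00: "non-resolvable-private",
    }.get(top_bits, "reserved")


def parse_capture(text: str):
    """Parse the constructed capture format into (timestamp, type, addr, name)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, addr_type, addr, name_field = line.split()
        name = name_field.split("=", 1)[1]
        records.append((datetime.fromisoformat(ts), addr_type, addr.upper(), name))
    return records


def audit(text: str, rotation_interval: timedelta = ROTATION_INTERVAL) -> dict:
    """Per advertised device name, report distinct addresses, address kinds,
    observed span and whether the device is trackable by its address."""
    seen = defaultdict(list)
    for ts, addr_type, addr, name in parse_capture(text):
        seen[name].append((ts, addr, classify_address(addr, addr_type)))

    report = {}
    for name, obs in seen.items():
        addresses = {addr for _, addr, _ in obs}
        kinds = {kind for _, _, kind in obs}
        timestamps = [ts for ts, _, _ in obs]
        span = max(timestamps) - min(timestamps)
        # Fixed identifiers are trackable by definition; a single private
        # address that never changed over a long enough window is as well.
        fixed_kind = kinds <= {"public", "static"}
        never_rotated = len(addresses) == 1 and span >= rotation_interval
        report[name] = {
            "distinct_addresses": len(addresses),
            "address_kinds": sorted(kinds),
            "observed_span_minutes": int(span.total_seconds() // 60),
            "trackable": fixed_kind or never_rotated,
        }
    return report


if __name__ == "__main__":
    for device, result in audit(SAMPLE_CAPTURE).items():
        verdict = "TRACKABLE" if result["trackable"] else "rotating"
        print(f"{device:10s} {verdict:10s} {result}")
```

In the sample, TrackerA (fixed public address) and BandC (random static address) are flagged, while WatchB shows a fresh resolvable private address every 20 minutes and is not. A real capture would come from a scanner on your own phone or laptop; the point of running it is to learn which of your devices still behave like the seven in the study before you wear them out the door.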

And while this study is fairly dated now, and many of the issues for those generations of devices have since been patched, it points to a problem in which companies rush to get their products to market without proper testing.

Likewise, it suggests that consumers often fail to research these products before purchasing them, or to ask where their data is sent, where it is stored, and which other parties have access to it.

And it’s not just the devices that have issues, but the corresponding applications as well. For example, the Garmin Connect app transmitted personal data without HTTPS encryption.

Other blogs will tell you that as a user, you should be careful to read the company’s privacy policy and follow news surrounding smart devices, but we’re all much too busy for that.

I do suggest, however, that you research a product before you buy it. In addition, take security precautions such as giving your device a more random, unique name, using strong passwords, and being wary of who can follow you on these apps.

This technology is not going away, so as consumers the best we can do is prepare ourselves.

There are many implications as to what role fitness trackers have in our digital footprint and what could happen in the future if we aren’t careful.

Similar to my recent question about digital privacy and how a person’s own device could be used to implicate them in a court of law, as with the Amazon Echo, one Pennsylvania woman’s claim that she was sexually assaulted was undermined by location data provided by her Fitbit.

If we consider that this data can be tampered with, each of us should be skeptical about how this information is used in the world of criminal justice, as well as in the insurance sector, where it can be used to judge individual health risk and set premiums.

Many makers of fitness trackers, like Samsung, Fitbit, Apple, Jawbone, Nike, and Sony, generally stress their commitment to privacy, and claim they do not ‘sell’ the data they collect.

But Jawbone’s policy, for instance, states that your data might be transferred to third parties for the purposes of a ‘business deal.’ Whatever that means.

With regards to what US law has to say, the FTC weighed in on data collection with some relevant warnings about fitness wearables and recommendations for manufacturers, but concluded that “IoT-specific legislation at this stage would be premature.”

Those with strong opinions on the topic, like Jessica Rich, director of the Bureau for Consumer Protection at the FTC, said “data from fitness trackers could end up in the hands of data brokers or other companies, and eventually be used to market other products and services to (users); make decisions about (their) eligibility for credit, employment, or insurance; and share with yet other companies.”

Thus far, there hasn’t been a major data breach at any of the named companies. However, toy-maker VTech, which makes smart watches for children, discovered last year that personal information from approximately five million customer accounts linked to kids’ profiles had been compromised.

So some fitness trackers, holding more mature data, could be ticking time bombs just waiting for hackers to set them off.

As we reflect on why data security is gaining greater and greater importance, it’s because the information stored on these wearable devices doesn’t go away. You cannot change key pieces of identification, like your Social Security number. And when they’re tied to your health information, it becomes yet another layer of vulnerability.

Gary Davis, chief consumer security evangelist at Intel Security, said, “The information that’s contained on your wearable that’s stored either on your smartphone or stored downstream on a cloud service is worth ten times that of a credit card on a black market.”

With health information, it goes a step further. “This person had this injury, let’s process a claim for a fraudulent pain prescription and go sell it on the black market. It’s hard to clamp down on that because of HIPAA. There’s a reason why you hear about all these mega breaches going after healthcare companies. Hackers realize this is high value stuff,” Davis said.

Trust me when I say I want you to get fit. But for now, it may be best to stick to the old-fashioned routine of heading to the gym and tracking your numbers with pen and paper.

And if you decide that while you’re approaching mile 1, you want to get certified as you work out, be sure to use code OBLOG50 for half off your test.

The Protecting Data in Transit Certification Course, especially, provides useful insight into encryption, data integrity and organizational data security, as well as implementing secure transport protocols such as IPsec, SSH and SSL/TLS. Knowing that the files we send and receive have not been modified, whether by data corruption or by attackers, requires specialized capabilities that will help keep your information safeguarded.

Olivia Lynch (Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.
